29 April 2015

  |  CBI America

Update

U.S Cybersecurity policy update

The House of Representatives this month passed two cybersecurity bills designed to strengthen public-private information sharing.

After several months of discussion, the House recently passed two cybersecurity bills designed to promote greater cooperation between the private and public sectors in sharing information related to threat detection and prevention. This recent legislative action reflects bipartisan support for greater participation from companies, as persistent cyberattacks against government agencies and private firms have raised serious concerns about the state of U.S. cybersecurity.

One of the bills, introduced by Representatives Michael McCaul (R-TX) and John Ratcliffe (R-TX), is the National Cybersecurity Protection Advancement (NCPA) Act. The NCPA Act is designed to encourage data sharing between the private sector and the government in order to improve cyber-threat detection and prevention. Regarded as a pro-security, pro-privacy bill, the NCPA Act would ensure that the sharing of cyber-threats is transparent and timely. The bill would bolster the National Cybersecurity and Communications Integration Center’s (NCCIC) role as the lead civilian agency for reporting and sharing cybersecurity risks and incidents.

The second bill, known as the Protecting Cyber Networks Act, is also intended to help network operators share information more efficiently in order to improve the detection and elimination of cyber threats. 

Previous efforts to pass similar legislation have faltered over the issue of liability protection for companies, such as in regards to trade secrets or customer information. The NCPA Act addresses these concerns by providing liability protections to companies in exchange for voluntary sharing of cyber-threat data with the Department of Homeland Security's (DHS). Under the NCPA Act, private companies will be required to 'scrub' and remove personal information unrelated to the cybersecurity risk before sharing with the DHS in order to protect company liability and consumer privacy.

Both bills provide immunity to companies from consumer lawsuits relating to the sharing of private information, although it is unclear how this process will work. The two bills differ significantly over how companies would share information and receive liability protection, as The Protecting Cyber Networks Act would allow companies to share data with any federal agency except the Department of Defence to receive immunity, while the NCPA Act would specifically require companies to coordinate with the NCCIC, a new division within the Homeland Security Department.